security - Bitlocker disk encryption without admin override

2014-07
  • J K

    I am a somewhat paranoid CTO exec that just received a Microsoft Surface with Windows 8.1 and I would like to enable disk encryption to protect my information. I know that BitLocker can be enabled to prevent access from external sources, but I'm just as concerned about internal sources.

    I know my system administrators can see all of my e-mail and all my network activity, and I'm okay with that. However, I do not want them to be able to access my machine while I'm not around using a system admin account, as I have a personal dropbox account and of course I am constantly logged into personal websites at home.

    How can I enable BitLocker and ensure that no one but myself ever has access to my data without my knowledge?

    Things to think about: System admin logging in directly on machine, system admin taking over my session remotely, system admin changing my domain password and logging in with my credentials. I want to protect against any and all unauthorized access except for myself.

  • Answers
  • SLaks

    You can encrypt files using your user account (Properties, Encrypt; this is not the same as BitLocker), which will prevent any other user from reading the file.

    This encryption is based on your login password; if an admin changes your password without entering the old password, the encryption key will be destroyed.

    Note that a malicious admin can still install a keylogger.


  • Related Question

    security - Encrypt shared files on AD Domain
  • Walter

    Can I encrypt shared files on Windows Server and allow only authenticated domain users to have access to these files?

    The scenario is as follows:

    I have a software development company, and I would like to protect my source code from being copied by my programmers.

    One problem is that some programmers use their own laptops to develop the company's software.

    In this scenario it's impossible to prevent developers from copying the source code to their laptops.

    In this case I thought about the following solution, but I don't know if it's possible to implement.

    The idea is to encrypt the source code so that it is accessible (decrypted) only when developers are logged into the AD domain, i.e. if they are not logged into the AD domain, the source code would be encrypted and useless.

    How can this be implemented using EFS? Or are there other tools to do this?


  • Related Answers
  • MDMarra

    What's to prevent them from logging in to the domain, opening and decrypting the source code in notepad/VS/whatever, and then copying and pasting the contents to a local file?

    Encryption isn't meant to protect data from users that already have access to it. You have a social/policy problem, not a technical one.

  • Daisetsu

    The problem is that once they have access to the source they could just make a copy and just completely bypass this whole system you are thinking of. If you don't trust someone with data then you shouldn't give it to them, because as soon as they have access they can make copies and do anything they want with it (other than modifying your original copy).

    The best thing you can do is set up a firewall to detect if source code is being transmitted through your network (although this is foiled by encryption), and not allow any sort of storage devices.

  • Walter

    I did some tests using EFS and AD domain. I think the following solution can be used.

    I used EFS to encrypt a folder and gave permission to a user X. When this user logs in with domain credentials, he has full access to this folder and can copy all files (encrypted files!).

    But if the user doesn't log in with the credentials of the AD domain, they cannot access the files. Even if he is using the local administrator account on the machine.

    The problem now is that AD user information remains cached.

    Now I need to know if you can configure AD to authenticate the laptops only if the server is online, and not let these users decrypt the files using EFS.

    Have you already implemented something like this?
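    Before relying on EFS for either question above (the owner-only folder from SLaks's answer, or Walter's domain-only access with its cached-credential problem), it is worth checking who actually holds a key for each encrypted file and whether offline domain logons are still allowed. The following PowerShell is an added example, not code from any of the posters; the folder path is constructed, and it assumes a domain-joined Windows client with cipher.exe available.

    ```powershell
    # Added example, not code from any post above. Assumes a domain-joined
    # Windows client with cipher.exe; $Folder is a constructed path.
    $Folder = 'C:\Users\jk\Private'

    # 1. Encrypt the folder, its subfolders and existing files with EFS.
    #    New files created inside inherit the encrypted attribute.
    cipher.exe /E /S:"$Folder" /A | Out-Null

    # 2. Audit each file: "cipher /C" lists the user certificates that can
    #    decrypt it and, separately, any recovery agent certificates pushed by
    #    domain policy. A non-empty recovery list (or more than one user) means
    #    someone other than the owner can read the plaintext.
    function Get-EfsDecryptors {
        param([string]$Path)
        $out = cipher.exe /C "$Path" 2>&1
        $section = ''
        $users = @(); $recovery = @()
        foreach ($line in $out) {
            $t = "$line".Trim()
            if ($t -like 'Users who can decrypt:*') { $section = 'users';    continue }
            if ($t -like 'Recovery Certificates:*') { $section = 'recovery'; continue }
            if ($t -like 'Key Information:*')       { $section = '';         continue }
            if ($t -eq '' -or $t -eq 'None' -or $t -like 'Certificate thumbprint:*') { continue }
            if ($section -eq 'users')    { $users    += $t }
            if ($section -eq 'recovery') { $recovery += $t }
        }
        [pscustomobject]@{ Path = $Path; Users = $users; RecoveryAgents = $recovery }
    }

    Get-ChildItem -Path $Folder -File -Recurse |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted) } |
        ForEach-Object { Get-EfsDecryptors $_.FullName } |
        Where-Object { $_.RecoveryAgents.Count -gt 0 -or $_.Users.Count -gt 1 } |
        Format-List

    # 3. Cached domain logons are what let a laptop authenticate (and so unlock
    #    the user's EFS key) while the domain controller is unreachable. The
    #    value is a REG_SZ; "0" disables offline domain logon and is set through
    #    the policy "Interactive logon: Number of previous logons to cache".
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10 (default, value not set)' }
    "CachedLogonsCount = $cached"
    ```

    Files that appear in the audit output are readable by a recovery agent or a second user; a CachedLogonsCount above 0 means the laptops in Walter's scenario can still log on, and decrypt, with no domain controller in sight.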

  • AdamV

    To answer your question as stated: yes, you can encrypt data using EFS and allow multiple AD users to access it. As several others have already pointed out, while this is technically true it is also practically useless. Anyone that can decrypt the file can save, print, copy the decrypted source code, especially if you are letting them do this on machines you don't control.